Dengue | |
---|---|
Type | File virus |
Creator | Griyo |
Date Discovered | 2000.04.20 |
Place of Origin | Madrid, Spain |
Source Language | Assembly |
Platform | MS Windows |
File Type(s) | .dll, .exe |
Infection Length | 10,853 bytes |
Dengue is a virus coded by GriYo, appearing in issue 5 of 29A magazine. It was considered one of the most complex viruses of its time. It has many similarities to Griyo's previous virus, CTX.
Behavior
Dengue may not always run when an infected file is executed. A particular function of the infected program must be called for the virus to run, and this function is randomly selected by the previous instance of the virus. The virus runs when that function is executed, and it executes a CALL instruction to the virus's decryptor.
Decryption may have taken a while on the computers of the time, as Dengue has several polymorphic layers and is 10,853 bytes long. Its encryption method uses a byte, word, or dword key with the methods XOR, NOT, SUB, ADD and INC among others. There are cases in which the virus will become visible and therefore easy to detect, but in a majority of cases, it will be encrypted.
Dengue's primary targets are Windows GUI executables and Explorer.exe is its primary target and host. Explorer.exe since Windows 9x is always in memory. To avoid heuristic detection, it uses checksums to call the APIs it needs to infect, rather than the API strings themselves. It infects the Explorer API DefWindowProcA. It infects new files from there.
It will avoid files that are not GUI applications or DLL's and any files beginning with the letters DR, PA, RO, VI, AV, TO, CA, IN, MS, SR, SP, RP, PR, NO, CE, LE, MO, SM, DD, SO, SQ, EX, IE, CM and CO. Like CTX, it avoids files protected by the System File Check. The virus will infect a new file every five minutes. If the last section of a particular PE file is relocation, the virus overwrites the relocation area and turns off the base relocation field in the headers. Otherwise, it appends itself to the last section of the PE image. The virus looks for a random place in the code section to place its polymorphic decryptor.
The size of infected files will always be divisible by 101. In many cases, Dengue will not change the size of the infected file. The virus contains garbage instructions meant to hide the decoding of the virus body. It also tries to protect itself from antivirus programs by deleting the checksum files of several antivirus programs such as avp.crc, anti-vir.dat, chklist.cps, chklist.ms, and ivp.ntz.
The virus contains the following text that can be seen when it is decrypted:
[ Dengue Hemorrhagic Fever BioCoded by GriYo / 29A ]
Disclaimer: This software has been designed for
research purposes only. The author is not
responsible for any problems caused due to improper
or illegal usage of it.
Dengue may cause a page fault error in Explorer. This is sometimes something the system can recover from.
Origin
The virus was coded in Assembly in Madrid, Spain by Griyo of the 29A VX magazine. It appeared on Griyo's home page in April of 2000. It's full source code appeared in issue 5 of 29A magazine.
Variants
Some antivirus products consider Dengue a variant of CTX because of the similar code and functionality. In addition to the original 10,853 byte strain, there is a variant weighing in at 15,456 bytes.
Effects
Dengue was never seen in the wild. It also has no deliberately destructive payload and the way the virus is coded may cause it to spread slowly. The most damage it is capable of is some issues with Explorer. It is unlikely to have ever caused any damage.
Name
Dengue is named for Dengue Hemmoragic Fever, a virus carried by mosquitos in the tropics. The assembly source for the virus contains a long description of the human virus. The word is of Spanish origin, though where the Spanish got it from is a mystery, possibly the Swahili phrase "Ka-dinga pepo", describing a disease being caused by an evil spirit.
Sources
GriYo. 29A Magazine, Issue 5, Dengue Hemorrhagic Fever. 2000
Peter Szor. Symantec, W32.Dengue. 2007.02.13
Kaspersky Lab. SecureList.com, Virus.Win32.CTX.10853.